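/*
 * Demo driver for the x86-64 emitter helpers: assembles a tiny function that
 * calls printf("Hello World\n"), hex-dumps the generated bytes, then runs it.
 *
 * The code page follows a write-then-execute (W^X) discipline: it is mapped
 * read/write while the bytes are emitted and is switched to PROT_EXEC before
 * the first call, so it is never writable and executable at the same time.
 *
 * Returns 0 on success, 1 if the page cannot be mapped or made executable.
 */
int main() {
    enum { CODE_BUF_SIZE = 1024 };

    unsigned char *target = mmap(NULL, CODE_BUF_SIZE, PROT_READ | PROT_WRITE,
                                 MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    /* mmap reports failure as MAP_FAILED, not NULL; emitting into it would fault. */
    if (target == MAP_FAILED) {
        perror("mmap");
        return 1;
    }

    /* NOTE(review): assumes the append_* helpers bound their writes by the
     * length stored here; that is not visible from this function. Confirm. */
    Buffer buffer = {target, CODE_BUF_SIZE, 0};
    char *param = "Hello World\n";
    /* NOTE(review): printf is variadic and is reached through a non-variadic
     * pointer type; this is tolerated by the x86-64 SysV ABI in practice but
     * is not portable C. */
    void (*fn)(char*) = (void(*)(char*)) printf;

    /* Prologue, call, epilogue. The absolute addresses of the string and of
     * printf are baked into the code as immediates, so the generated bytes are
     * only valid inside this process image. */
    append_x86_64_push_reg(&buffer, X86_64_RBP);
    append_x86_64_set_reg_reg(&buffer, X86_64_RBP, X86_64_RSP);
    append_x86_64_set_reg_imm(&buffer, X86_64_RDI, (size_t) param);
    append_x86_64_set_reg_imm(&buffer, X86_64_RAX, (size_t) fn);
    append_x86_64_call_reg(&buffer, X86_64_RAX);
    append_x86_64_pop_reg(&buffer, X86_64_RBP);
    append_x86_64_ret(&buffer);

    /* Hex dump of the emitted bytes, eight per row. */
    for (int row = 0; row < buffer.offset; row += 8) {
        int row_end = (row + 8 < buffer.offset) ? (row + 8) : buffer.offset;
        for (int k = row; k < row_end; k++) {
            printf("%02x ", buffer.data[k]);
        }
        printf("\n");
    }

    /* Drop write access before executing. If the transition is refused (for
     * example by a policy that forbids making anonymous memory executable),
     * jumping into the page would crash, so stop here instead. */
    if (mprotect(buffer.data, buffer.length, PROT_EXEC) != 0) {
        perror("mprotect");
        munmap(buffer.data, buffer.length);
        return 1;
    }

    /* The union converts the data pointer to a function pointer without a
     * direct object-to-function pointer cast. */
    union pedantic_convert generated_fn;
    generated_fn.ptr = buffer.data;
    generated_fn.funcptr();

    /* Release the executable mapping once the generated code has returned. */
    munmap(buffer.data, buffer.length);
    return 0;
}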